At least it’s not just me then. I figured that it could be similar to the issue where people couldn’t install it at all on Ubuntu 14.04 and 16.04, though those issues have since been resolved. Hopefully this will be sorted out soon as well.
@Harambe - I’ll make sure to add a +1 next to that request on the “wish list” for new cloud features. --Katie, Marketing
2 Likes
in addition to that: change at least all mysql-passwords. most CMS and scripts using a database store those passes in plain text in config-files somewhere and vesta even keeps the root mysql pw stored in ~/.my.cnf and those of the users in its own config files… if you consider your system compromised by this hack, do know that this was for sure elevated access, so you have to assume that those password are taken/not safe anymore.
TL;DR; a simple reinstall/restore might not be enough.
3 Likes
Feels worth restating that it’s clear at this stage, the recent update was a security update. The attack vector on VestaCP instances is still not known. Therefore it is impossible to know if it has been patched.
Serghey is clearly working hard on it.
1 Like
I really wouldn’t put anything vestacp related back online just yet…
I only have one vestacp box, port was blocked to the public and it looks clean, performed the upgrade when the patch was released, but still keeping the vestacp service down, just in case… also monitoring its outgoing traffic to warn me if it spikes.
I don’t know how I feel about the roundcube claims either, but I disabled the bundled one and installed my own a while back. Still no signs of compromise on MXroute.
I feel it wouldn’t be just vestacp related if it were a third party software such as roundcube… but who knows anymore.
Edit: could be a multi-vector attack as others suggested, which may include roundcube.
Implementation could have Roundcube doing something interesting, but I’d also agree highly unlikely. At most you’d get the user permissions the web server is running at, roundcube isn’t run as the admin user by default but just by the web server user (with files owned by root).
I’ve moved some stuff over to CWP and some other to cPanel. I managed to get the IP unblocked however.
I wonder how much of a hit Vesta will take due to this.
I don’t think they’ll suffer too much over this… considering it’s a free product and there’s not that many good alternatives out there, and migrating a lot of sites off vesta would be a PITA.
3 Likes
I don’t recall a vulnerability in CWP, but if my instinct has any value: I have never in my life met a strong, security minded coder who believes Teamspeak is a primary and necessary feature for every server. That it has an auto install button has been my primary scare from day one.
1 Like
this indeed got a point. I saved some of the malicious files. on one server the gcc.sh has the group of a user and not admin so obviously a domain of that user has been used. while vestacp ofc is available if you attach the port to a customers domain I doubt vesta-nginx/php-fpm will adapt the correct owner/group.
to have this happened I’d guess it would have to go through normal nginx/apache instead. seems confusing and I have to admit that I use an additional proxy layer sometimes to be able to access vesta without the port, so it might be related.
still the weird HEAD request to /webmail/ matches the timestamp and a domain of that specific user. may be I need to correct my stance towards the roundcube stuff later, we’ll see.
1 Like
As I mentioned before leave your vesta service off. People are reporting being compromised on version 20: Got 10 VestaCP servers exploited - Page 46 - Vesta Control Panel - Forum
Sadly there is not enough information to really go off of.
2 Likes
Updated title and posted an update at top of OP. I don’t want people to get the wrong information and think this patch fixes everything. Heavily editorializing the situation, but I can’t sleep well saying “all good” when I feel super uneasy about the information released so far.
That authentication method is making me cringe - there are built in utilities for this exact purpose.
That’s generally been his style, things that make you cringe but generally function with reasonable security in actual practice. But the reason people don’t do it in those ways will generally be because it’s less forgiving of one little error.
Yeah, same guy just posted in the LET thread as well. Not surprising if it turns out to be true.
Oh god, the LET reply is even worse news than the WHT reply 